InfoSec Handlers Diary Blog

I am seeing a large amount of spam hit our network that has been successful at fooling our spam filter. The
emails contain .zip and .html extensions with various file names. The subject also varies. Some subjects
that I have seen are:

The zip file is being analyzed to determine what payload may be involved. You may want to remind your email
users to refrain from opening any attachments that they weren't expecting to receive.

UPDATE: We have received some information from one of our readers that the zip file that he received contained
a multiple exploit-kit downloader. He indicated that there are over 120,000 successful downloads of the exe file.
They have discovered that IP address 173. 204. 119 . 122 is where the file appears to be hosted at and is being
updated with new binaries consistently. The downloader appears to grab a few files with random file names and
have been observed connecting too imagehut4 .cn, allxt .com, hitinto .com. Jason indicates that all files appear
to run fully under Windows VMWARE and are resistant to detection by many of the common threat programs.

Many thanks to Jason for supplying us with the information.

We also have received a report of emails that are hitting which tell the recipient that they letter cannot be opened
due to low screen resolution. It says that they need to open the attached zip file for the message. Again the filename
for the zip file varies. Thanks to Jason R for this information.